Bug#892032: jessie-pu: package wayland/1.6.0-2
Hello,
2018-03-04 15:44 GMT+01:00 Emilio Pozuelo Monfort <pochu@debian.org>:
> On 04/03/18 12:46, Héctor Orón Martínez wrote:
>>
>> diff --git a/debian/changelog b/debian/changelog
>> index 645a4bc..b6409a8 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,14 @@
>> +wayland (1.6.0-2+deb8u1) stretch; urgency=medium
>
> Distribution should be jessie.
Ouch! Right. Find new version attached
--
Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
From c9f4eb1998a3b390c8b03df7c84f83608a3418fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= <zumbi@debian.org>
Date: Sun, 4 Mar 2018 12:29:17 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
---
debian/changelog | 11 +++++++++
debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 59 insertions(+)
create mode 100644 debian/patches/CVE-2017-16612.patch
create mode 100644 debian/patches/series
diff --git a/debian/changelog b/debian/changelog
index 645a4bc..0379671 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.6.0-2+deb8u1) jessie; urgency=medium
+
+ * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+ - libXcursor before 1.1.15 has various integer overflows that could lead
+ to heap buffer overflows when processing malicious cursors, e.g., with
+ programs like GIMP. It is also possible that an attack vector exists
+ against the related code in cursor/xcursor.c in Wayland through
+ 1.14.0.
+
+ -- Héctor Orón Martínez <zumbi@debian.org> Sun, 04 Mar 2018 12:27:36 +0100
+
wayland (1.6.0-2) unstable; urgency=medium
* Switch back to use upstream tarball.
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Tue Nov 28 21:38:07 2017 +0100
+
+ cursor: Fix heap overflows when parsing malicious files.
+
+ It is possible to trigger heap overflows due to an integer overflow
+ while parsing images.
+
+ The integer overflow occurs because the chosen limit 0x10000 for
+ dimensions is too large for 32 bit systems, because each pixel takes
+ 4 bytes. Properly chosen values allow an overflow which in turn will
+ lead to less allocated memory than needed for subsequent reads.
+
+ See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+ Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+ Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+ [Pekka: add link to the corresponding libXcursor commit]
+ Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage *image;
+
++ if (width < 0 || height < 0)
++ return NULL;
++ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++ return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, &head.delay))
+ return NULL;
+ /* sanity check data */
+- if (head.width >= 0x10000 || head.height > 0x10000)
++ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
++ head.height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+ if (head.width == 0 || head.height == 0)
+ return NULL;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
--
2.16.2
Reply to: